There is some malware process which is writing the folder $RECYCLE.BIN to every drive in my system. How can I find out which process is doing that? Is there a Sysinternals tool? I'm pretty sure of some virus activity.
2 Answers
The procmon utility will do what you're looking for, but if the virus writer is any good at what they do, it won't catch it. If there is a rootkit on that system (very likely), then it is most assuredly hiding the virus processes from the Windows environment.
However, it's still worth a shot.

Another great, but young, tool: [APIMonitor](http://www.rohitab.com/apimonitor). He might also want to consider [RootkitRevealer](http://technet.microsoft.com/en-us/sysinternals/bb897445), since it sounds like something that will interest him. – songei2f Feb 11 '11 at 15:07
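The answer above points at Process Monitor but leaves the legwork to the reader. The following is an added example, not code from the answerer or from Sysinternals, showing how to drive Procmon unattended from PowerShell and reduce its log to the one question asked: which process touched `$Recycle.Bin` on any drive. It assumes Procmon.exe has been downloaded to `C:\Tools\Procmon.exe` and that `C:\Temp` exists (both paths are arbitrary), and that the prompt is elevated, since Procmon loads a kernel driver.

```powershell
# Added example (not from the original answer or from Sysinternals).
# Assumes C:\Tools\Procmon.exe and C:\Temp exist; both paths are arbitrary.
# Run from an elevated PowerShell prompt.

$procmon = 'C:\Tools\Procmon.exe'
$pml     = 'C:\Temp\recycle.pml'
$csv     = 'C:\Temp\recycle.csv'

# 1. Start an unattended capture into a backing file (no GUI clicks needed).
#    /AccepteEula really is spelled that way in Procmon.
Start-Process -FilePath $procmon -ArgumentList '/AccepteEula', '/Quiet', '/Minimized', '/BackingFile', $pml

# 2. Reproduce the trigger while the capture runs (plug in a USB stick,
#    browse a drive, wait for the folder to reappear).
Start-Sleep -Seconds 120

# 3. Stop capturing, then export the PML to CSV so it can be parsed without the GUI.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
Start-Process -FilePath $procmon -ArgumentList '/OpenLog', $pml, '/SaveAs', $csv -Wait

# 4. Keep only events whose path is under <drive>:\$Recycle.Bin.
#    Single quotes stop PowerShell from expanding $Recycle as a variable;
#    inside the regex, \\ is a literal backslash and \$ a literal dollar sign.
$events = Import-Csv -LiteralPath $csv |
    Where-Object { $_.Path -match '^[A-Za-z]:\\\$Recycle\.Bin' }

# 5. Which process, and what did it do there?
$events |
    Group-Object -Property 'Process Name', PID |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Process    = $_.Group[0].'Process Name'
            PID        = $_.Group[0].PID
            Events     = $_.Count
            Operations = ($_.Group.Operation | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize

# 6. For processes still alive, show the image path and its Authenticode status.
#    An unsigned binary in an unusual location is what you would chase next;
#    a process that has already exited cannot be resolved this way.
$events.PID | Sort-Object -Unique | ForEach-Object {
    $p = Get-Process -Id $_ -ErrorAction SilentlyContinue
    if ($p -and $p.Path) {
        $sig = Get-AuthenticodeSignature -FilePath $p.Path
        [pscustomobject]@{
            PID       = $_
            Image     = $p.Path
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
} | Format-Table -AutoSize
```

The default CSV export carries the columns `Time of Day`, `Process Name`, `PID`, `Operation`, `Path`, `Result` and `Detail`, which is all step 5 needs. The caveat in the answer still holds: Procmon's driver only reports what the kernel lets it see, so a kernel-mode rootkit can hide its own activity from this log. If the only hits are `explorer.exe` or `System`, that is consistent with the second answer below rather than with malware.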
I could be wrong, but `$Recycle.Bin` is actually a legitimate Windows folder. It's literally where the "Recycle Bin" goes (each drive has an individual one). If you disable "Hide Protected Operating System Files (Recommended)" under Tools > Folder Options > View, you can see these. So the malicious process you're speaking of is a little program called Microsoft Windows 7. :D
Edit: any Windows user should be able to uncheck that box and see these files. Another thing you can do to test, though, is: right-click on the `$Recycle.Bin` folder and go to Properties. Note its size. Delete something large (obviously a copy of it would be better; you don't want to delete anything important!). Check the properties again; it should be larger (the size of whatever you deleted larger, to be exact).

Like @Topherhead said, I have lots of USB keys. I notice every time I mount them in Debian, Mac OS X, what have you (which is often) the folder is repopulated. This is because Windows needs to. The other common one you will see is `System Volume Information`, which is related to Restore Points and meta-data apparently. – songei2f Feb 11 '11 at 15:04
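The "note the size, delete something, check again" test in the answer above, plus the `System Volume Information` observation in the comment, can be scripted. The block below is an added example, not code from either poster: it surveys every local drive for both folders, maps each `$Recycle.Bin` sub-folder to the account it belongs to (the sub-folders are named after user SIDs), and then performs the before/after size test by sending a probe file to the Recycle Bin the way Explorer does. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the probe file name and its 50 MB size are arbitrary choices.

```powershell
# Added example (not from the original answer or comment).
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.
# Probe file name and size below are arbitrary.

function Get-RecycleBinSize {
    # Sum the bytes under <drive>\$Recycle.Bin. -Force is required because the
    # folder carries the Hidden and System attributes. Other users' SID
    # sub-folders are normally not readable by a standard user, so those
    # access errors are ignored rather than aborting the count.
    param([Parameter(Mandatory)][string]$Drive)      # e.g. 'C:'
    $bin = Join-Path $Drive '$Recycle.Bin'
    if (-not (Test-Path -LiteralPath $bin)) { return $null }
    $m = Get-ChildItem -LiteralPath $bin -Recurse -Force -File -ErrorAction SilentlyContinue |
         Measure-Object -Property Length -Sum
    return [int64]$m.Sum          # $null sum (empty bin) becomes 0
}

function Show-RecycleBinOwners {
    # Each sub-folder of $Recycle.Bin is named after the SID of the user whose
    # deleted files it holds; translate that SID back to an account name.
    param([Parameter(Mandatory)][string]$Drive)
    $bin = Join-Path $Drive '$Recycle.Bin'
    Get-ChildItem -LiteralPath $bin -Force -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $sid     = [System.Security.Principal.SecurityIdentifier]$_.Name
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(not a SID, or no longer resolvable)'
        }
        [pscustomobject]@{ Drive = $Drive; Folder = $_.Name; Account = $account }
    }
}

function Test-RecycleBinGrowth {
    # Create a probe file, send it to the Recycle Bin through the same shell
    # API Explorer uses (Remove-Item would bypass the bin entirely), and
    # report how much <drive>\$Recycle.Bin grew.
    param([int64]$Bytes = 50MB)
    Add-Type -AssemblyName Microsoft.VisualBasic
    $probe = Join-Path $env:USERPROFILE 'recyclebin-probe.bin'       # arbitrary name
    $drive = [System.IO.Path]::GetPathRoot($probe).TrimEnd('\')      # e.g. 'C:'

    $before = Get-RecycleBinSize -Drive $drive
    $fs = [System.IO.File]::Create($probe)
    $fs.SetLength($Bytes)
    $fs.Close()

    $ui  = [Microsoft.VisualBasic.FileIO.UIOption]::OnlyErrorDialogs
    $opt = [Microsoft.VisualBasic.FileIO.RecycleOption]::SendToRecycleBin
    [Microsoft.VisualBasic.FileIO.FileSystem]::DeleteFile($probe, $ui, $opt)
    $after = Get-RecycleBinSize -Drive $drive

    [pscustomobject]@{
        Drive  = $drive
        Before = $before
        After  = $after
        Delta  = $after - $before    # roughly $Bytes plus a small $I metadata file
    }
}

# Survey every local drive letter: both folders are expected on volumes
# Windows has used, which is exactly what the question observed.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object {
        $d = $_.Root.TrimEnd('\')
        [pscustomobject]@{
            Drive      = $d
            RecycleBin = Test-Path -LiteralPath (Join-Path $d '$Recycle.Bin')
            SysVolInfo = Test-Path -LiteralPath (Join-Path $d 'System Volume Information')
            BinBytes   = Get-RecycleBinSize -Drive $d
        }
    } | Format-Table -AutoSize

Show-RecycleBinOwners -Drive $env:SystemDrive | Format-Table -AutoSize
Test-RecycleBinGrowth | Format-List
```

Two things to keep in mind when reading the output: `Delta` will be close to zero if the drive's Recycle Bin is configured to delete files immediately rather than move them, and `BinBytes` undercounts for a non-administrator because other accounts' SID sub-folders are not readable. The `$R...` / `$I...` file pairs inside a SID folder are the deleted file's contents and its original-path metadata, so a growing `$Recycle.Bin` after a deletion is normal Windows behaviour, not a sign of infection.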